US7817549B1 - Flexible flow-aging mechanism - Google Patents

Flexible flow-aging mechanism

Info

Publication number
US7817549B1
Authority
US
Grant status
Grant
Prior art keywords
flow
network
packet
memory
identifier
Legal status
Active, expires
Application number
US11479176
Inventor
Rahul Kasralikar
Jeffrey Fowler
Current Assignee
RPX Corp
Original Assignee
Extreme Networks Inc

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing packet switching networks
    • H04L 43/02 Arrangements for monitoring or testing packet switching networks involving a reduction of monitoring data
    • H04L 43/026 Arrangements for monitoring or testing packet switching networks involving a reduction of monitoring data using flow generation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Abstract

A flow identifier is stored in a memory to identify a network flow. The memory is capable of storing multiple flow identifiers for multiple flows. Packet statistics are collected for each of the flows. The packet statistics are compared and a flow identifier is subsequently selected and removed from the memory.

Description

FIELD

Embodiments of the invention relate to the handling of packet flows through a network switch, and particularly to flow-aging in a switch.

BACKGROUND

A network flow, also referred to herein simply as a “flow,” is a sequence of network packets sharing certain characteristics. A common set of characteristics used to define a flow is referred to as a “5-tuple.” A 5-tuple flow is a sequence of packets sharing the same source and destination address, source and destination port, and protocol (5 values total, hence the “5-tuple” label). Other combinations of flow characteristics may also be used to define a network flow.

Many network switches employ filters or other devices/mechanisms to control the flow of network traffic through the switch. One approach to filtering and/or control is a flow-based approach. In one example of a flow-based approach, a list/table of various flow entries (e.g., as defined by the 5-tuple) is maintained at the switch. When a packet enters the switch, the packet is checked to see if it matches a flow entry in the list/table. Based on the results of checking the packet, an action is then taken on the packet (e.g., blocking, forwarding, redirecting, etc.).

The list/table of flow entries is typically stored in a finite memory/cache. Thus, only a limited number of flow entries can be stored at a time. When the memory becomes full of entries, a decision must be made to determine how to handle new entries seeking inclusion in the list/table (i.e., whether to add or remove an entry from the list/table). This decision-making process and the subsequent actions associated with removing flow entries to make room for new entries is referred to herein as aging, or flow-aging.

Existing flow-aging mechanisms rely on packet counters or hardware refresh bits to decide whether a flow is to be aged out or not. These mechanisms are limited in that the aging process is typically based on simple packet-difference arithmetic, providing very little flexibility for aging out flows.

SUMMARY

A flow identifier for a network flow is received from an intrusion prevention system (IPS) device and a request is made for the flow identifier to be stored in a memory. The memory is capable of storing multiple flow identifiers for multiple flows and provides a basis for forwarding packets directly through a switch. Packet statistics (beyond basic packet counts from a single counter) are collected for each of the flows. Rather than relying on simple packet counts or status bits for a single flow, the packet statistics for the different flows are analyzed and corresponding flows are prioritized. Based on the prioritization and a policy, a determination is made whether to remove a flow identifier from memory to allow the received flow identifier to be added.

BRIEF DESCRIPTION OF THE DRAWINGS

The following description includes discussion of various figures having illustrations given by way of example of implementations of embodiments of the invention. The drawings should be understood by way of example, and not by way of limitation.

FIG. 1 is a block diagram of an embodiment of the invention having a flow-aging manager.

FIG. 2 is a flow diagram of an embodiment of the invention.

DETAILED DESCRIPTION

A network switch operates in conjunction with an external intrusion prevention system (IPS) to provide network security (e.g., threat detection and/or mitigation). The switch redirects traffic to the IPS for further inspection, sometimes referred to as “deep packet inspection.” Most external IPS devices do not have the bandwidth capabilities to inspect traffic in real-time without significantly throttling or bottlenecking the traffic. Thus, switches typically redirect only a portion of the overall traffic to an IPS device (based on a policy, a set of rules or parameters, etc.).

The IPS device analyzes the redirected traffic to determine whether a particular flow is good (e.g., safe, not a threat, etc.) or bad (e.g., viruses, worms, denial of service (DoS) attacks, etc.). These determinations are communicated back to the switch to provide a basis for future redirection decisions. For example, an IPS device might determine that a particular flow (e.g., flow B) is a good flow. The IPS sends a notification to the switch identifying flow B as a good flow. The switch stores a flow identifier (e.g., a 5-tuple) for flow B in a memory. Thus, once a flow identifier for flow B is stored in the memory, any subsequently received packets associated with flow B will generate a match with the flow B identifier in memory, causing the switch to forward the flow B packets through the switch without redirecting them to the IPS device (because it has already been determined that flow B packets are safe for the network).

The memory used for storing flow identifiers can be any memory (e.g., random access memory (RAM), read-only memory (ROM), flash memory, etc.). In one embodiment the memory used to store the flow identifiers is a content addressable memory (CAM). In another embodiment, a ternary CAM, or TCAM, is used to store the flow identifiers. Given that a memory has a finite number of storage locations, the addition of new flow identifiers eventually causes the memory to become full. When the memory is full, new flow identifiers cannot be automatically added to the memory. Instead, a decision must be made at the switch either to remove a flow identifier from the memory (to make room for a new flow identifier) or to deny the new flow identifier from being added to the memory. A flow-aging mechanism handles the decision-making process for adding and/or removing flow identifiers from the memory.

In one embodiment, flow-aging decisions are based both on dynamically updated packet statistics collected at the switch and a flow-aging policy or set of rules. Packet statistics may include cumulative packet counts for different flows, a change or delta in a packet count over a time interval, a ratio of two cumulative packet counts, a ratio of a change or delta in two packet counts over a time interval, etc. The variety of packet statistics provides flexibility to the decision-making process for adding and/or removing flow identifiers from the memory. In another embodiment, the flow-aging mechanism compares existing flows or other information such as forwarding entries from a media access control (MAC) table, a routing table, access control lists (ACLs) or other rules installed by other applications to aid in the decision-making process for adding/removing flow identifiers from the memory.

FIG. 1 illustrates an embodiment of the invention having a flow-aging manager 120. Traffic 101 enters switch 110 where it is received by flow handler 112. Flow handler 112 initially examines traffic 101 to find packets having a recognized flow identifier. A table/list of flow identifiers is stored in memory 114. Memory 114 can be any memory/cache, including ROM, RAM, flash memory, CAM, etc. In one embodiment, the table/list of flow identifiers identifies flows that have been designated as “good” flows (discussed in more detail below). In other embodiments, the table/list identifies flows that meet other specified criteria.

When a packet enters flow handler 112, the packet is examined to determine its flow identifier (e.g., the 5-tuple that includes source and destination address, source and destination port, and IP protocol). Flow handler 112 then compares this flow identifier against entries stored in memory 114. If flow handler 112 finds a matching entry in memory 114, the packet is associated with a good flow and is forwarded through switch 110 without being redirected. If, on the other hand, flow handler 112 does not find a matching entry in memory 114, the packet is redirected to traffic selector 116.

Traffic selector 116 monitors various conditions in traffic 101 and includes various rules/policies for the selection and redirection of flows to the external IPS device 130. IPS 130 performs deep packet inspection to determine whether a packet/flow is safe or whether it is a threat to the stability/integrity/functionality of the network and/or its instrumentalities. If IPS 130 determines that a particular flow is safe for the network, it is considered a “good” flow. IPS 130 notifies flow-aging manager 120 of the good flow and flow-aging manager 120 forwards a flow identifier associated with the good flow to flow-handler 112. Flow-handler 112 attempts to store the flow identifier in memory 114. Assuming space is available for a new entry, the flow identifier is stored in memory 114. Once the flow identifier for the good flow is stored in memory 114, future incoming packets associated with the good flow are forwarded directly through the switch 110.

If memory 114 is full, new flow identifiers cannot be added as entries unless an existing entry is deleted/removed from memory 114, referred to herein as “aging out” a flow. Flow-aging manager 120 manages the flow-aging process and creates a flexible flow-aging environment where policies and/or rules affecting decisions and/or selections can be adapted to changing network conditions and/or a changing network environment. Thus, flow-aging manager 120 contributes to increasing efficiency in the forwarding of packets/traffic in a switch.

In particular, packet statistics unit 122 collects/maintains packet statistics for incoming traffic 101. The packet statistics can include, but are not limited to, cumulative packet counts for one or more flows, a change or delta in a packet count over a time interval, a ratio of two cumulative packet counts, and/or a ratio of a change or delta in two different packet counts over a time interval.

Packet statistics unit 122 may also collect statistics for reverse/outbound traffic associated with a flow. For example, in one embodiment, packet statistics unit 122 tracks the number of incoming Transmission Control Protocol (TCP) synchronize (SYN) packets received for a particular flow. Meanwhile, packet statistics unit 122 can also track the number of outbound TCP SYN-acknowledge (SYN-ACK) packets associated with the flow.

A packet statistics analyzer 124 analyzes the collected packet statistics based on a policy or set of rules. The policy or set of rules can be manually updated by a network administrator or it can be dynamically updated based on network conditions. Packet statistics analyzer 124 prioritizes flows using the packet statistics and the policy (or set of rules). For example, in one embodiment, packet statistics analyzer 124 uses “packet count over time” statistics and gives higher priority to a high volume flow than to a low volume flow. Or, in another embodiment, priority may be given to a particular type of flow (e.g., mail traffic, file transfer protocol (FTP) traffic, structured query language (SQL) traffic, etc.).

Flow selector 126 selects flows to be aged out based on the packet statistics analysis and the flow-aging policy. When a flow identifier is presented for addition into memory 114, flow selector 126 selects an entry, if any, to be removed from memory 114 so that the new flow identifier can be added. Based on the policy, flow selector 126 may determine not to remove any entries from the table, thus denying the addition of the new flow identifier to the table.

When the flow selector 126 selects an entry for removal from memory 114, the selection is communicated to flow handler 112 and the selected flow identifier is removed from memory 114. Once a flow identifier is removed from memory 114, future incoming packets associated with the removed flow identifier will be redirected to traffic selector 116, and possibly IPS 130, instead of being forwarded directly through switch 110. If packets associated with the removed flow identifier are redirected and later inspected by IPS 130 and the corresponding flow is again tagged as a good flow, the removed flow identifier will be forwarded to flow-aging manager 120 and evaluated for re-entry into memory 114. Depending on the network conditions and/or associated flow-aging policies/rules, the previously removed flow identifier may or may not be re-admitted into memory 114.

FIG. 2 illustrates another embodiment of the invention. A network switch (or other network device) receives a flow identifier from an external IPS device 210 and a storage request is made for the flow identifier. Flow identifiers may be stored in a cache, a memory, or other storage medium. When a flow identifier is stored in memory, it distinguishes the associated flow from other traffic flowing through a switch or network device. For example, in one embodiment, flow identifiers are stored to distinguish known good flows from unknown flows or from known network threats. In other embodiments, flow identifiers may be stored to differentiate between flows based on certain characteristics such as, for example, source and/or destination of the traffic, traffic types, traffic classes, etc. Thus, in one embodiment of the invention, if a flow identifier is stored in memory for a particular flow, packets associated with the flow are identified and forwarded directly through the switch without being redirected for further inspection.

The memory used for storing flow identifiers is of finite capacity. Thus, if a new flow identifier is received by the switch and the memory is full, a decision is made to determine whether to remove a flow identifier from the memory (and subsequently add the new flow identifier) or to reject the new flow identifier.

To facilitate the decision-making process, the switch, or other network device, collects packet statistics 220 for traffic flowing through the switch or other network node. These statistics can include cumulative packet counts for one or more flows, a change or delta in a packet count over a time interval, a ratio of two cumulative packet counts, and/or a ratio of a change or delta in two different packet counts over a time interval. In one embodiment, packet statistics are collected only for those flows having an associated flow identifier stored in memory. In other embodiments, packet statistics can be collected for a selected/desired group or subset of flows.

The collected packet statistics are analyzed based on a policy or set of rules. The policy or set of rules can be manually updated by a network administrator or it can be dynamically updated based on network conditions. Flows are then prioritized, 230, using the packet statistics and the policy (or set of rules). For example, in one embodiment, priority is determined using “packet count over time” statistics (i.e., higher priority is given to a high volume flow than to a low volume flow). In another embodiment, priority is determined based on the particular type of flow (e.g., mail traffic, FTP traffic, SQL traffic, etc.). Other priority schemes may also be used.

Once the flows have been prioritized, the system determines whether to remove a flow identifier from memory 240. The stored flow identifier having the lowest priority is selected and is compared against the flow identifier received from the IPS device. The flow-aging policy determines whether to keep the selected flow identifier (and deny entry to the received flow identifier) or to remove the selected flow identifier and add the received flow identifier to the memory. For example, the flow-aging policy may give priority to higher volume flows. Thus, if the flow associated with the selected flow identifier has a higher volume than the flow for the received flow identifier, the system will determine to keep the selected flow identifier and deny entry to the received flow identifier. On the other hand, if the flow associated with the selected flow identifier has a lower volume than the flow for the received flow identifier, the system will determine to remove the selected flow identifier and subsequently add the received flow identifier to the memory.
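The following Python model is an added illustration of the FIG. 1 / FIG. 2 procedure and is not code from the patent or from Extreme Networks: a capacity-limited table of good-flow identifiers, per-flow statistics including the inbound SYN / outbound SYN-ACK counts mentioned for packet statistics unit 122, a pluggable prioritisation policy, and the evict-or-deny decision against the lowest-priority stored entry. The class and function names, the second policy (which uses the incoming/outgoing ratio of claim 16), keeping statistics for redirected flows, and the tie rule are assumptions.

```python
"""Model of the flexible flow-aging mechanism: a capacity-limited table of
"good" flow identifiers, per-flow packet statistics, a pluggable priority
policy and the evict-or-deny decision of FIG. 2. Names are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

FlowId = Tuple[str, str, int, int, str]  # 5-tuple: src, dst, sport, dport, proto


@dataclass
class FlowStats:
    total: int = 0        # cumulative packet count
    prev_total: int = 0   # cumulative count at the end of the last interval
    syn_in: int = 0       # inbound TCP SYNs seen for the flow
    synack_out: int = 0   # outbound TCP SYN-ACKs seen for the flow

    def delta(self) -> int:  # "packet count over time" for the current interval
        return self.total - self.prev_total

    def handshake_ratio(self) -> float:  # SYN-ACKs out per SYN in; 1.0 = all answered
        return self.synack_out / self.syn_in if self.syn_in else 1.0


Policy = Callable[[FlowStats], float]


def volume_policy(s: FlowStats) -> float:
    """Claim 1 policy: higher volume over the interval -> higher priority."""
    return float(s.delta())


def volume_and_handshake_policy(s: FlowStats) -> float:
    """Assumed policy using the incoming/outgoing ratio of claim 16: volume,
    scaled down for flows whose inbound SYNs mostly go unanswered."""
    return s.delta() * min(1.0, s.handshake_ratio())


class FlowAgingManager:
    def __init__(self, capacity: int, policy: Policy = volume_policy) -> None:
        self.capacity = capacity
        self.policy = policy
        self.table: Dict[FlowId, FlowStats] = {}    # flow identifiers in memory
        self.pending: Dict[FlowId, FlowStats] = {}  # stats of not-yet-admitted flows

    def observe(self, fid: FlowId, syn: bool = False, synack: bool = False) -> str:
        """Flow handler: count the packet; forward on a table hit, else redirect.
        Keeping statistics for redirected flows too is an assumption here."""
        stats = self.table.get(fid)
        if stats is None:
            stats = self.pending.setdefault(fid, FlowStats())
        stats.total += 1
        stats.syn_in += int(syn)
        stats.synack_out += int(synack)
        return "forward" if fid in self.table else "redirect"

    def roll_interval(self) -> None:  # close the measurement interval for all flows
        for stats in (*self.table.values(), *self.pending.values()):
            stats.prev_total = stats.total

    def admit_good_flow(self, fid: FlowId) -> Tuple[bool, Optional[FlowId]]:
        """IPS reported fid as good; returns (admitted, evicted flow id). On a full
        table the lowest-priority entry is kept unless the newcomer ranks strictly
        higher (the tie rule is an assumption; the description leaves it open)."""
        if fid in self.table:
            return True, None
        new_stats = self.pending.pop(fid, FlowStats())
        if len(self.table) < self.capacity:
            self.table[fid] = new_stats
            return True, None
        victim = min(self.table, key=lambda f: self.policy(self.table[f]))
        if self.policy(self.table[victim]) >= self.policy(new_stats):
            self.pending[fid] = new_stats  # deny entry but keep its statistics
            return False, None
        del self.table[victim]
        self.table[fid] = new_stats
        return True, victim


def demo() -> Dict[str, object]:
    """Constructed traffic on a 2-entry table: busy flow A, quiet flow B, then
    newcomer C (outranks B, so B is aged out) and newcomer D (denied)."""
    a = ("10.0.0.1", "10.0.0.9", 40001, 443, "tcp")
    b = ("10.0.0.2", "10.0.0.9", 40002, 25, "tcp")
    c = ("10.0.0.3", "10.0.0.9", 40003, 21, "tcp")
    d = ("10.0.0.4", "10.0.0.9", 40004, 1433, "tcp")
    mgr = FlowAgingManager(capacity=2)
    mgr.admit_good_flow(a)
    mgr.admit_good_flow(b)
    for fid, n in ((a, 10), (b, 3), (c, 5), (d, 2)):
        for _ in range(n):
            mgr.observe(fid)  # a, b are forwarded; c, d are redirected
    return {
        "c": mgr.admit_good_flow(c),  # (True, b)
        "d": mgr.admit_good_flow(d),  # (False, None)
        "b_after": mgr.observe(b),    # "redirect"
        "table": sorted(mgr.table),   # [a, c]
    }
```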

Embodiments of the invention described above may include hardware, software, and/or a combination of these. In a case where an embodiment includes software, the software data, instructions, and/or configuration may be provided via an article of manufacture by a machine/electronic device/hardware. An article of manufacture may include a machine accessible/readable medium having content to provide instructions, data, etc. The content may result in an electronic device, for example, a filer, a disk, or a disk controller as described herein, performing various operations or executions described. A machine accessible medium includes any mechanism that provides (i.e., stores and/or transmits) information/content in a form accessible by a machine (e.g., computing device, electronic device, electronic system/subsystem, etc.). For example, a machine accessible medium includes recordable/non-recordable media (e.g., read only memory (ROM), random access memory (RAM), magnetic disk storage media, optical storage media, flash memory devices, etc.). The machine accessible medium may further include an electronic device having code loaded on a storage that may be executed when the electronic device is in operation. Thus, delivering an electronic device with such code may be understood as providing the article of manufacture with such content described above.

As used herein, references to one or more “embodiments” are to be understood as describing a particular feature, structure, or characteristic included in at least one implementation of the invention. Thus, phrases such as “in one embodiment” or “in an alternate embodiment” appearing herein describe various embodiments and implementations of the invention, and do not necessarily all refer to the same embodiment. However, they are also not necessarily mutually exclusive. The above descriptions of certain details and implementations, including the description of the figures, may depict some or all of the embodiments described above, as well as discussing other potential embodiments or implementations of the inventive concepts presented herein.

Besides what is described herein, various modifications may be made to the disclosed embodiments and implementations of the invention without departing from their scope. Therefore, the illustrations and examples herein should be construed in an illustrative, and not a restrictive sense. The scope of the invention should be measured solely by reference to the claims that follow.

Claims (20)

1. A method for aging network flows in a switch, comprising:
receiving, from an Intrusion Prevention System (IPS) device, a new network flow identifier for a new network flow, wherein the new network flow is in addition to a plurality of existing network flows communicatively interfaced through the switch;
collecting packet statistics for each of the plurality of existing network flows through the switch, each of the plurality of existing network flows having a corresponding network flow identifier stored in a memory of the switch;
prioritizing the plurality of existing network flows based at least in part on the packet statistics collected in view of a dynamic network flow-aging policy, wherein the dynamic network flow-aging policy prioritizes higher volume network flows among the plurality of existing network flows above lower volume network flows among the same plurality of existing network flows;
removing a network flow identifier stored in the memory of the switch corresponding to one of the plurality of existing network flows based at least in part on the prioritization of the plurality of existing network flows and the dynamic network flow-aging policy;
storing the new network flow identifier for the new network flow in the memory of the switch among the remaining network flow identifiers not removed from the memory of the switch that correspond to the plurality of existing network flows; and
forwarding packets associated with any of the plurality of existing network flows having a corresponding network flow identifier stored in the memory of the switch and/or the new network flow having the new network flow identifier stored in the memory of the switch without redirecting the packets to the IPS device.
2. The method of claim 1, wherein the IPS device performs deep packet inspection upon packets to determine whether the packets associated with a particular network flow present a security threat, and wherein the method further comprises the IPS device notifying the switch that a particular network flow is a good network flow that does not represent a threat when no such threat is found through the deep packet inspection and further wherein the IPS device notifies the switch that a particular network flow is a bad network flow that represents a security threat when such a threat is found through the deep packet inspection.
3. The method of claim 1, wherein the plurality of existing network flows having a corresponding network flow identifier stored in the memory of the switch and the new network flow having the new network flow identifier stored in the memory of the switch are all identified by the IPS device as being good network flows that do not represent a threat pursuant to the deep packet inspection of the IPS device.
4. The method of claim 1, wherein collecting packet statistics for each of the network flows comprises maintaining at least one of a packet count over a specified period of time, a total packet count, a packet ratio for a network flow, a packet ratio between different network flows, and a rate of change of a network flow.
5. The method of claim 1, wherein prioritizing the packet statistics comprises comparing packet statistics for a first network flow against packet statistics for a second network flow.
6. The method of claim 1, wherein prioritizing the packet statistics comprises comparing a first packet count over a specified period of time for a first network flow against a second packet count over a specified period of time for a second network flow.
7. The method of claim 1, wherein removing the network flow identifier stored in the memory of the switch corresponding to one of the plurality of existing network flows based at least in part on the prioritization of the plurality of existing network flows and the dynamic network flow-aging policy comprises:
receiving one or more results of prioritizing the plurality of existing network flows based on the packet statistics collected;
selecting a lowest priority network flow identifier from the network flow identifiers stored in the memory based on the prioritization of the plurality of existing network flows; and
determining, based at least in part on the dynamic network flow-aging policy, to replace the selected lowest priority network flow identifier with the received new network flow identifier.
8. The method of claim 1, wherein each network flow identifier comprises a 5-tuple of characteristics uniquely identifying each network flow, the 5-tuple comprising a source address, a destination address, a source port, a destination port, and a protocol for the corresponding network flow identified by the 5-tuple.
9. A network flow-aging manager for a network switch, comprising: a packet statistics unit to collect packet statistics for a plurality of existing network flows; a packet statistics analyzer coupled to the packet statistics unit to analyze the packet statistics according to a dynamic network flow-aging policy and prioritize the network flows in accordance with the dynamic network flow-aging policy, wherein the dynamic network flow-aging policy prioritizes higher volume network flows among the plurality of existing network flows above lower volume network flows among the same plurality of existing network flows; and a network flow selector coupled to the packet statistics analyzer to select a network flow for removal based at least in part on network flow priority and the dynamic network flow-aging policy and removing a network flow identifier corresponding to the selected network flow from a memory of the switch; the memory of the switch to store a new network flow identifier for a new network flow among a plurality of remaining network flow identifiers not removed from the memory of the switch which correspond to the plurality of existing network flows; and a packet forwarder to forward packets associated with any of the plurality of existing network flows having a corresponding network flow identifier stored in the memory of the switch and/or the new network flow having the new network flow identifier stored in the memory of the switch without redirecting the packets to an Intrusion Prevention System (IPS) device.
10. The network flow-aging manager of claim 9, wherein the packet statistics unit comprises a packet counter to count packets over time associated with each of the plurality of network flows.
11. The network flow-aging manager of claim 9, wherein the packet analyzer compares a first packet count over time for a first network flow against a second packet count over time for a second network flow.
12. The network flow-aging manager of claim 9, wherein the packet analyzer compares a packet count over time for a network flow against a threshold.
13. The network flow-aging manager of claim 12, wherein the threshold changes dynamically based at least in part on the packet statistics.
14. The network flow-aging manager of claim 9, wherein the packet analyzer determines a rate of change of packets in a first network flow and compares the rate of change to at least one of a threshold and a second rate of change of packets in a second network flow.
15. The network flow-aging manager of claim 14, wherein the threshold is determined, at least in part, by the dynamic network flow-aging policy.
16. The network flow-aging manager of claim 9, wherein the packet statistics analyzer further determines a ratio of incoming packets to outgoing packets for a network flow and further prioritizes the network flows based on the determined ratio.
17. An article of manufacture comprising a non-transitory machine-accessible medium having content to provide instructions to result in an electronic device performing operations including: storing, in a memory, a network flow identifier for each of a plurality of network flows; maintaining packet statistics for each of the network flows; prioritizing the plurality of network flows based at least in part on the packet statistics in view of a dynamic network flow-aging policy, wherein the dynamic network flow-aging policy prioritizes higher volume network flows above lower volume network flows; selecting a network flow identifier for removal from the memory based at least in part on network flow priority and the dynamic network flow-aging policy; removing the selected network flow identifier from the memory; storing a new network flow identifier for the new network flow in the memory among the remaining network flow identifiers not removed from the memory; and forwarding packets associated with any of the plurality of existing network flows having a corresponding network flow identifier stored in the memory and/or the new network flow having the new network flow identifier stored in the memory without redirecting the packets to an Intrusion Prevention System (IPS) device.
18. The article of manufacture of claim 17, wherein storing a network flow identifier for each of the plurality of network flows comprises storing a source and destination address, a source and destination port, and a protocol for the each of the network flows.
19. The article of manufacture of claim 17, the medium having content to provide instructions to result in the electronic device performing further operations including maintaining packet counters over time for each of the plurality of network flows.
20. The article of manufacture of claim 17, the medium having content to provide instructions to result in the electronic device performing further operations including maintaining at least one of a packet count over a specified period of time, a total packet count, a packet ratio for a network flow, a packet ratio between different network flows, and a rate of change of a network flow.
Priority Applications (1)

Application Number    Priority Date    Filing Date    Title
US11479176 (US7817549B1)    2006-06-30    2006-06-30    Flexible flow-aging mechanism

Publications (1)

Publication Number    Publication Date
US7817549B1    2010-10-19

Family ID: 42941235

Status: Active, expires 2028-03-20

Country Status (1)

Country    Link
US    US7817549B1

Patent Citations (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6272598B1 (en) * 1999-03-22 2001-08-07 Hewlett-Packard Company Web cache performance by applying different replacement policies to the web cache
US6909724B1 (en) * 1999-07-02 2005-06-21 Cisco Technology, Inc. Synchronizing service instructions among forwarding agents using a service manager
US6954739B1 (en) 1999-11-16 2005-10-11 Lucent Technologies Inc. Measurement-based management method for packet communication networks
US20060212572A1 (en) 2000-10-17 2006-09-21 Yehuda Afek Protecting against malicious traffic
US20020083175A1 (en) 2000-10-17 2002-06-27 Wanwall, Inc. (A Delaware Corporation) Methods and apparatus for protecting against overload conditions on nodes of a distributed network
US7389537B1 (en) 2001-10-09 2008-06-17 Juniper Networks, Inc. Rate limiting data traffic in a network
US20030204621A1 (en) * 2002-04-30 2003-10-30 Poletto Massimiliano Antonio Architecture to thwart denial of service attacks
US7349332B1 (en) * 2002-07-03 2008-03-25 Netlogic Microsystems, Inc. Apparatus for queuing different traffic types
US7464407B2 (en) 2002-08-20 2008-12-09 Nec Corporation Attack defending system and attack defending method
US20060146708A1 (en) * 2003-02-28 2006-07-06 Matsushita Electric Industrial Co., Ltd Packet transfer control method and packet transfer control circuit
US7394756B1 (en) 2003-03-17 2008-07-01 Sprint Communications Company L.P. Secure hidden route in a data network
US7317693B1 (en) * 2003-05-12 2008-01-08 Sourcefire, Inc. Systems and methods for determining the network topology of a network
US7478156B1 (en) * 2003-09-25 2009-01-13 Juniper Networks, Inc. Network traffic monitoring and reporting using heap-ordered packet flow representation
US7489640B2 (en) * 2003-09-30 2009-02-10 Agere Systems Inc. Processor with continuity check cache
US7408932B2 (en) 2003-10-20 2008-08-05 Intel Corporation Method and apparatus for two-stage packet classification using most specific filter matching and transport level sharing
US20050213570A1 (en) * 2004-03-26 2005-09-29 Stacy John K Hardware filtering support for denial-of-service attacks
US7369557B1 (en) * 2004-06-03 2008-05-06 Cisco Technology, Inc. Distribution of flows in a flow-based multi-processor system
US20060187836A1 (en) * 2005-02-18 2006-08-24 Stefan Frey Communication device and method of prioritizing transference of time-critical data
US20070204117A1 (en) * 2006-02-28 2007-08-30 Red. Hat, Inc. Kernel and application cooperative memory management
US20070268829A1 (en) 2006-05-18 2007-11-22 Michael Corwin Congestion management groups

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Final Office Action for U.S. Appl. No. 11/479,177, Mailed Oct. 6, 2009, 13 pages.
Non-Final Office Action for U.S. Appl. No. 11/479,177 Mailed Mar. 19, 2009, 21 pages.
Non-Final Office Action for U.S. Appl. No. 11/479,177, Mailed Dec. 23, 2009, 14 pages.

Cited By (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8509075B2 (en) * 2007-03-23 2013-08-13 Hewlett-Packard Development Company, Lp Data-type-based network path configuration
US20080232275A1 (en) * 2007-03-23 2008-09-25 Anand Eswaran Data-Type-Based Network Path Configuration
US20100142560A1 (en) * 2007-07-05 2010-06-10 Ceragon Networks Ltd. Data packet header compression
US8243757B2 (en) * 2007-07-05 2012-08-14 Ceragon Networks Ltd. MAC header compression using a pointer
CN103370911A (en) * 2011-02-17 2013-10-23 日本电气株式会社 Flow communication system
US9313128B2 (en) 2011-02-17 2016-04-12 Nec Corporation Network system and network flow tracing method
US9560177B2 (en) 2011-02-17 2017-01-31 Nec Corporation Network system and network flow tracing method
CN103380600A (en) * 2011-02-17 2013-10-30 日本电气株式会社 Network system and network flow tracking method
US20130308645A1 (en) * 2011-02-17 2013-11-21 Shuichi Karino Flow communication system
US9083657B2 (en) * 2011-02-17 2015-07-14 Nec Corporation Flow communication system
EP2676410A1 (en) * 2011-02-17 2013-12-25 Nec Corporation Flow communication system
JP2014506021A (en) * 2011-02-17 2014-03-06 日本電気株式会社 Flow communication system
EP2676410A4 (en) * 2011-02-17 2014-09-24 Nec Corp Flow communication system
CN103370911B (en) * 2011-02-17 2016-08-10 日本电气株式会社 Streaming communication system
US20140376394A1 (en) * 2011-09-21 2014-12-25 Nec Corporation Communication apparatus, control apparatus, communication system, communication control method, and computer program
CN103891221A (en) * 2011-09-21 2014-06-25 日本电气株式会社 Communication apparatus, control apparatus, communication system, communication control method, and computer program
JPWO2013133400A1 (en) * 2012-03-09 2015-07-30 日本電気株式会社 Controller, a communication system, the switch control method, and program
US20130265905A1 (en) * 2012-04-09 2013-10-10 Cisco Technology, Inc. Distributed demand matrix computations
CN104221328A (en) * 2012-04-09 2014-12-17 思科技术公司 Distributed demand matrix computations
CN104221328B (en) * 2012-04-09 2017-11-17 思科技术公司 Distributed computing demand matrix
US9106510B2 (en) * 2012-04-09 2015-08-11 Cisco Technology, Inc. Distributed demand matrix computations
US20130308651A1 (en) * 2012-05-21 2013-11-21 Huawei Technologies Co., Ltd Packet Processing Method, Device and System
US9742667B2 (en) * 2012-05-21 2017-08-22 Huawei Technologies Co., Ltd. Packet processing method, device and system
US9385948B2 (en) * 2012-05-21 2016-07-05 Huawei Technologies Co., Ltd. Packet processing method, device and system
CN104737504A (en) * 2012-10-15 2015-06-24 思科技术公司 System and method for efficient use of flow table space in a network environment
US20140108632A1 (en) * 2012-10-15 2014-04-17 Cisco Technology, Inc. System and method for efficient use of flow table space in a network environment
WO2014062365A1 (en) * 2012-10-15 2014-04-24 Cisco Technology, Inc. System and method for efficient use of flow table space in a network environment
US9548920B2 (en) * 2012-10-15 2017-01-17 Cisco Technology, Inc. System and method for efficient use of flow table space in a network environment
US8441961B1 (en) 2012-12-24 2013-05-14 Sideband Networks, Inc. Metadata-driven switch network control
EP3001617A4 (en) * 2013-06-28 2016-07-06 Huawei Tech Co Ltd Entry adding method and switch
US9942113B2 (en) 2013-06-28 2018-04-10 Huawei Technologies Co., Ltd. Entry adding method and switch
US9391903B2 (en) 2013-07-15 2016-07-12 Calix, Inc. Methods and apparatuses for distributed packet flow control
US9319293B2 (en) 2013-07-31 2016-04-19 Calix, Inc. Methods and apparatuses for network flow analysis and control
US9843520B1 (en) * 2013-08-15 2017-12-12 Avi Networks Transparent network-services elastic scale-out
US9240938B2 (en) * 2013-09-23 2016-01-19 Calix, Inc. Distributed system and method for flow identification in an access network
US20150085678A1 (en) * 2013-09-23 2015-03-26 Calix, Inc. Distributed system and method for flow identification in an access network
US9660879B1 (en) * 2016-07-25 2017-05-23 Extrahop Networks, Inc. Flow deduplication across a cluster of network monitoring devices

Similar Documents

Publication Publication Date Title
US7120934B2 (en) System, method and apparatus for detecting, identifying and responding to fraudulent requests on a network
US6377577B1 (en) Access control list processing in hardware
Kruegel et al. Stateful intrusion detection for high-speed networks
US7215637B1 (en) Systems and methods for processing packets
US7054930B1 (en) System and method for propagating filters
US20100095367A1 (en) Dynamic access control policy with port restrictions for a network security appliance
US7463590B2 (en) System and method for threat detection and response
US20060272018A1 (en) Method and apparatus for detecting denial of service attacks
US20100281539A1 (en) Detecting malicious network software agents
US20080077705A1 (en) System and method of traffic inspection and classification for purposes of implementing session nd content control
US20020133586A1 (en) Method and device for monitoring data traffic and preventing unauthorized access to a network
US20070022474A1 (en) Portable firewall
US20050021740A1 (en) Detecting and protecting against worm traffic on a network
US20080005293A1 (en) Router and method for server load balancing
US7409712B1 (en) Methods and apparatus for network message traffic redirection
US20070006293A1 (en) Multi-pattern packet content inspection mechanisms employing tagged values
US7039053B1 (en) Packet filter policy verification system
US7120931B1 (en) System and method for generating filters based on analyzed flow data
US20040264373A1 (en) Packet classification
US20080289040A1 (en) Source/destination operating system type-based IDS virtualization
US20040088571A1 (en) Network service zone locking
US20060146816A1 (en) System and method for integrated header, state, rate and content anomaly prevention for domain name service
US7174566B2 (en) Integrated network intrusion detection
US20070056038A1 (en) Fusion instrusion protection system
US20040111531A1 (en) Method and system for reducing the rate of infection of a communications network by a software worm

Legal Events

Date Code Title Description
AS Assignment

Owner name: EXTREME NETWORKS, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KASRALIKAR, RAHUL;FOWLER, JEFFREY;SIGNING DATES FROM 20061220 TO 20070203;REEL/FRAME:018885/0059

FPAY Fee payment

Year of fee payment: 4

AS Assignment

Owner name: SILICON VALLEY BANK, CALIFORNIA

Free format text: SECURITY AGREEMENT;ASSIGNOR:EXTREME NETWORKS, INC.;REEL/FRAME:036189/0284

Effective date: 20150724

AS Assignment

Owner name: SILICON VALLEY BANK, CALIFORNIA

Free format text: AMENDED AND RESTATED PATENT AND TRADEMARK SECURITY AGREEMENT;ASSIGNOR:EXTREME NETWORKS, INC.;REEL/FRAME:040521/0762

Effective date: 20161028

AS Assignment

Owner name: SILICON VALLEY BANK, CALIFORNIA

Free format text: SECOND AMENDED AND RESTATED PATENT AND TRADEMARK SECURITY AGREEMENT;ASSIGNOR:EXTREME NETWORKS, INC.;REEL/FRAME:043200/0614

Effective date: 20170714

AS Assignment

Owner name: EXTREME NETWORKS, INC., CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:SILICON VALLEY BANK;REEL/FRAME:043747/0694

Effective date: 20170929

AS Assignment

Owner name: RPX CORPORATION, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:EXTREME NETWORKS, INC.;REEL/FRAME:044087/0334

Effective date: 20171003

MAFP

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552)

Year of fee payment: 8